Unable to use CA certificate chains for HTTPS Ingress with VMware PKS

Article ID: 345582


Products

VMware

Issue/Introduction

Symptoms:
  • When you use an FQDN certificate plus an intermediate certificate to set up HTTPS ingress, the certificate is not applied to the virtual server.

  • Using a Secret whose PEM data contains both the CA certificate and the FQDN certificate does not work.

  • Specifically, when querying the backend, the load balancer returns the default certificate instead of the one corresponding to the FQDN.



Environment

VMware PKS 1.x

Cause

This issue occurs due to a bug in NCP logic: PKS does not support certificate CA chains (that is, intermediate certificate authorities). It supports a single root CA only for now.

Resolution

This is a known issue with NCP 2.3.x and will be fixed in future NCP releases.


Workaround:

As a workaround, use single root CA certs only.
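
One way to check a TLS Secret against this limitation before using it for Ingress, as an added example that is not part of the original article: it reads the JSON printed by `kubectl get secret <name> -o json`, decodes `tls.crt`, and counts the PEM certificates it holds. The function names and the sample Secret are constructed for illustration.

```python
import base64
import json
import re

# Matches one PEM-armoured certificate block.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S
)


def certs_in_secret(secret_json: str) -> int:
    """Return how many PEM certificates the Secret's tls.crt holds."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    # Secret data values are base64-encoded; tls.crt decodes to PEM text.
    pem = base64.b64decode(secret["data"]["tls.crt"]).decode("ascii")
    return len(PEM_CERT.findall(pem))


def check_secret(secret_json: str) -> str:
    """Classify the Secret: usable single certificate, or a chain."""
    n = certs_in_secret(secret_json)
    if n == 0:
        return "invalid: no certificate in tls.crt"
    if n == 1:
        return "ok: single certificate"
    return f"chain: {n} certificates in tls.crt (not applied by NCP 2.3.x)"


def _sample_secret(n_certs: int) -> str:
    # Constructed sample: placeholder bodies, not real certificates.
    block = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
             "-----END CERTIFICATE-----\n")
    data = base64.b64encode((block * n_certs).encode()).decode()
    return json.dumps({
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": "example-tls"},  # hypothetical name
        "data": {"tls.crt": data, "tls.key": ""},
    })


if __name__ == "__main__":
    for n in (1, 2):
        print(check_secret(_sample_secret(n)))
```

A Secret reported as a chain matches the symptom described above, where the load balancer keeps serving the default certificate.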